How To: Configure Your Windows Firewall for Shavlik Protect

Version 15

    Purpose


    The following article explains how to configure Windows Firewall to allow Shavlik Protect in every supported environment via the GUI, command prompt, and GPO. (Scroll to the bottom to see Protect's Port Requirements)

     

    Description

     

    Configuring Firewall

     

    How to configure the Firewall in Windows XP and Windows Server 2003

     

    1. Click Start > Control Panel > Security Center.
    2. In Windows Security Center, under Manage Security Settings, click Windows Firewall.
    3. Under Programs and Services, select the check box for File and Printer Sharing and click OK.
    4. Navigate to the Exceptions tab and click the Add Port... button.
    5. In the Name box, enter any name you wish (e.g. Protect1, Protect2, etc.).
    6. In the Port number box, enter the desired port, select TCP or UDP, and click OK.
    7. Click the Add Port... button under the Firewall Exceptions again to create a second rule.
    8. Repeat steps 5-6 for all desired ports.

     

     

    How to configure the Firewall in Windows Vista

     

    1. Click Start > Control Panel > Security > Windows Firewall.
    2. Click Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    3. Click Add port.
    4. In the Name box, enter any name you wish (e.g. Protect1, Protect2, etc.).
    5. In the Port number box, enter the desired port, select TCP or UDP, and click OK.
    6. Repeat steps 3-5 until all ports listed below have been entered.

     

     

    How to configure the Firewall in Windows 7, Windows 8, Server 2008 and Windows Server 2012

     

    1. Click Start > Control Panel > Security > Windows Firewall.
    2. Click Advanced Settings.
    3. Select Inbound Rules.
    4. Click New Rule... in the Actions pane on the right.
    5. Select Port and click Next.
    6. Select TCP and Specific local ports.
    7. Enter the desired ports in the port field and click Next.
    8. Select Allow the connection and click Next.
    9. Check all three boxes (Domain, Private and Public), then click Next.
    10. Give the rule any name and description you wish, and click Finish.
    11. Click Advanced Settings again.
    12. This time select Outbound Rules.
    13. Repeat steps 4-10.

     

    Opening Ports Using GPO   

     

    To create rules using Server 2003 GPO:

     

    1. Log on to a machine on the network with domain administrator privileges. The machine needs to be running Microsoft Windows XP SP1 or Microsoft Windows Server 2003.
    2. Download and install the .NET Framework (required for the next step).
    3. Download and install the Microsoft Group Policy Management Console (GPMC). The GPMC can be downloaded from: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
    4. To launch GPMC, click Start > Run and type gpmc.msc.
    5. Expand the tree under the forest you will be updating.
    6. Expand the tree under Domains and expand the domain you will be updating.
    7. Right-click Default Domain Policy, or the GPO you will be applying the changes to, and select Edit...

     

    Do the following in the Group Policy Object editor MMC:

     

    1. Go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
    2. Double-click the entry Windows Firewall: Define port exceptions.
    3. Select Enabled.
    4. Click the Show... button to bring up the port exception list dialog.
    5. Click the Add... button.
    6. Specify the required port using the following syntax: <port>:<transport>:<scope>:<status>:<name>

     

    For example, to allow connections on port 139 from the IP addresses in the local subnet, configure the rule as follows:  139:TCP:localsubnet:enabled:SMB

     

    Repeat steps 5 and 6 for each of the ports listed under Port Requirements below.

     

    How to create rules using Windows Server 2008 (including R2) GPO and Server 2012

     

    To enable Firewall permissions on all domain clients:

     

    1. Click Start > Administrative Tools > Group Policy Management.
    2. Expand Group Policy Management > Forest > Domains > <Domain name> > Group Policy Objects.
    3. Right-click Default Domain Policy and select Edit.
    4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, then right-click Inbound Rules and select New Rule...
    5. In the New Inbound Rule Wizard, select Port and click Next.
    6. Select Specific local ports, type the desired port numbers, and click Next.
    7. Select Allow the connection and click Finish.
    8. In the Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, then right-click Outbound Rules and select New Rule...
    9. Repeat steps 5 to 7 and allow the desired ports.
    10. Close the Group Policy Management Editor.
    11. In Group Policy Management, expand Group Policy Management > Forest > Domains > <Domain name> > Default Domain Controllers Policy.
    12. Repeat steps 4 to 9.
    13. Close Group Policy Management.

     

     

    Additional Information

     

    Port Requirements for Protect (taken from the document "Port Requirements for Shavlik Protect")

     

    This table outlines the port requirements for inbound ports:

    Inbound                                               Port
    Client System – Asset Scans                           TCP 135
    Client System – Patch Scans and Deployments           TCP 137-139 or TCP 445
    Client System – Listening Agents                      TCP 4155
    Client System – Scheduler                             TCP 5120
    Client System – WOL                                   UDP 9
    Protect Console – Traffic to Shavlik Console service  TCP 3121
    Distribution Server – HTTP configuration              TCP 80
    Distribution Server – HTTPS configuration             TCP 443
    Distribution Server – UNC configuration               TCP 137-139 or TCP 445

     

    This table outlines the port requirements for outbound ports:

    Outbound                                              Port
    Client System – Agents                                TCP 80
    Client System – Agentless scans                       TCP 139 or TCP 445
    Client System – Agents & Deployment Tracker           TCP 3121
    Protect Console – Patch and data downloads            TCP 80
    Protect Console – Patch Scans and Deployments         TCP 139 and TCP 445
    Protect Console – Scheduler                           TCP 5120
    Protect Console – WOL and error reporting             UDP 9
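    The port tables above, applied from the command line with netsh advfirewall (Windows Vista / Server 2008 and later) and also expressed in the Server 2003 GPO port-exception syntax described earlier, as an added example. This script is not part of the original article or of Shavlik's product: the port numbers are taken from the tables, while the rule names, the Role grouping, the domain-profile default and the localsubnet scope are assumptions. Without -Apply it only prints the commands it would run.

```powershell
<#
  Added example, not Shavlik's own script: turns the Protect port tables into
  Windows Firewall rules via "netsh advfirewall" (Vista / Server 2008 and later)
  and into the <port>:<transport>:<scope>:<status>:<name> strings used by the
  Server 2003 GPO setting "Windows Firewall: Define port exceptions".
  Port numbers come from the article; rule names, the Role grouping and the
  localsubnet scope are assumptions. Run from an elevated PowerShell prompt.
#>
param(
    [ValidateSet('Client', 'Console', 'DistributionServer')]
    [string]$Role = 'Client',
    [string]$Profiles = 'domain',   # the GUI steps tick domain,private,public; narrower is safer
    [switch]$Apply                  # without -Apply the script only prints the commands
)

# One row per line of the inbound/outbound tables (rule names are assumed).
$PortTable = @(
    @{ Role='Client'; Dir='in';  Proto='TCP'; Port='135';     Name='Protect Asset Scans RPC' }
    @{ Role='Client'; Dir='in';  Proto='TCP'; Port='137-139'; Name='Protect Patch Scans NetBIOS' }
    @{ Role='Client'; Dir='in';  Proto='TCP'; Port='445';     Name='Protect Patch Scans SMB' }
    @{ Role='Client'; Dir='in';  Proto='TCP'; Port='4155';    Name='Protect Listening Agent' }
    @{ Role='Client'; Dir='in';  Proto='TCP'; Port='5120';    Name='Protect Scheduler' }
    @{ Role='Client'; Dir='in';  Proto='UDP'; Port='9';       Name='Protect Wake-on-LAN' }
    @{ Role='Client'; Dir='out'; Proto='TCP'; Port='80';      Name='Protect Agent HTTP' }
    @{ Role='Client'; Dir='out'; Proto='TCP'; Port='139';     Name='Protect Agentless Scan NetBIOS' }
    @{ Role='Client'; Dir='out'; Proto='TCP'; Port='445';     Name='Protect Agentless Scan SMB' }
    @{ Role='Client'; Dir='out'; Proto='TCP'; Port='3121';    Name='Protect Agent and Deployment Tracker' }
    @{ Role='Console'; Dir='in';  Proto='TCP'; Port='3121';   Name='Protect Console Service' }
    @{ Role='Console'; Dir='out'; Proto='TCP'; Port='80';     Name='Protect Patch and Data Downloads' }
    @{ Role='Console'; Dir='out'; Proto='TCP'; Port='139';    Name='Protect Deployment NetBIOS' }
    @{ Role='Console'; Dir='out'; Proto='TCP'; Port='445';    Name='Protect Deployment SMB' }
    @{ Role='Console'; Dir='out'; Proto='TCP'; Port='5120';   Name='Protect Scheduler' }
    @{ Role='Console'; Dir='out'; Proto='UDP'; Port='9';      Name='Protect WOL and Error Reporting' }
    @{ Role='DistributionServer'; Dir='in'; Proto='TCP'; Port='80';      Name='Protect Distribution HTTP' }
    @{ Role='DistributionServer'; Dir='in'; Proto='TCP'; Port='443';     Name='Protect Distribution HTTPS' }
    @{ Role='DistributionServer'; Dir='in'; Proto='TCP'; Port='137-139'; Name='Protect Distribution UNC NetBIOS' }
    @{ Role='DistributionServer'; Dir='in'; Proto='TCP'; Port='445';     Name='Protect Distribution UNC SMB' }
)

# Build the netsh argument list for one rule. Inbound rules use localport and are
# scoped to the local subnet, mirroring the article's GPO example; outbound rules
# use remoteport, because the local side of an outgoing connection is ephemeral.
function Get-NetshArgs([hashtable]$Row, [string]$Profiles) {
    $portField = if ($Row.Dir -eq 'in') { 'localport' } else { 'remoteport' }
    $argList = @('advfirewall', 'firewall', 'add', 'rule',
                 "name=$($Row.Name)", "dir=$($Row.Dir)", 'action=allow',
                 "protocol=$($Row.Proto)", "$portField=$($Row.Port)", "profile=$Profiles")
    if ($Row.Dir -eq 'in') { $argList += 'remoteip=localsubnet' }
    return $argList
}

# Expand one row into Server 2003 GPO port-exception strings. That setting takes a
# single port per entry, so a range such as 137-139 becomes three entries.
function ConvertTo-GpoException([hashtable]$Row) {
    $lo, $hi = $Row.Port -split '-'
    if (-not $hi) { $hi = $lo }
    foreach ($p in [int]$lo..[int]$hi) {
        "${p}:$($Row.Proto):localsubnet:enabled:$($Row.Name)"
    }
}

$rows = $PortTable | Where-Object { $_.Role -eq $Role }

Write-Output "# netsh commands for role '$Role' (profile: $Profiles)"
foreach ($row in $rows) {
    $argList = Get-NetshArgs $row $Profiles
    # Quote arguments containing spaces so the preview can be pasted into cmd.exe as-is.
    $shown = ($argList | ForEach-Object { if ($_ -match ' ') { '"' + $_ + '"' } else { $_ } }) -join ' '
    Write-Output "netsh $shown"
    if ($Apply) { & netsh @argList | Out-Null }
}

Write-Output "# Server 2003 GPO port exceptions for role '$Role' (inbound only)"
$rows | Where-Object { $_.Dir -eq 'in' } | ForEach-Object { ConvertTo-GpoException $_ }

# Verification: list the rules that now exist under the assumed naming prefix.
if ($Apply) {
    netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+Protect '
}
```

    Run it as .\Protect-Firewall.ps1 -Role Client from an elevated prompt to preview the rules for a client system, and add -Apply to create them (use -Role Console or -Role DistributionServer on those machines). Windows Firewall allows outbound traffic by default, so the outbound rules only matter where outbound filtering has been turned on. The GPO strings it prints can be pasted one per line into the Define port exceptions list from the Server 2003 GPO section.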


    ***Some information may have been referenced from http://kb.gfi.com/articles/SkyNet_Article/How-to-prepare-your-firewall-to-allow-proper-communication-between-agents-and-…

     

     

    Affected Product(s)

     

    Shavlik Protect 9.x